Zeus rival boasts of eluding tracker services, fails

Kaspersky Lab expert Jorge Mieres wrote yesterday about Ice IX – the first crimeware based on the leaked Zeus source code.

“Ice IX Botnet is the first new generation of web applications developed to manage centralized botnets through the HTTP protocol based on leaked ZeuS source code,” he pointed out. “The latest version of Ice IX Botnet is 1.0.5, and it is selling for a very competitive $1800 in the underground markets.”

Intrigued by the write up, Swiss security expert Roman H??ssy – the man behind the Zeus Tracker service – decided to take a look for himself. He searched for someone selling Ice IX, and found a post about it on an underground forum.

It said that Ice IX is similar to Zeus since it’s base on a modified Zeus 2 core, but that it had enhanced firewall and protection bypassing capabilities and a new feature that allowed it to foil trackers when they try to download and analyze its configuration file.

But, as it turns out, this feature is worthless – by effecting a number of changes, he easily downloaded and decrypted Ice IX’s configuration file, and pinpointed two current Ice IX botnet controllers.